Protecode Blog


How can you find out what third party software is in your code?


Ensuring you have a compliant software product is important. At first, complying with third party software licensing may seem like a daunting task, but there are two steps you can take to make it easier.

First, ensure you have a process in place to approve acceptable third party packages before they are used. Second, establish a baseline scan to give you an idea of what third party code already exists in your portfolio.

A software package pre-approval process defines and implements the procedures that determine approved software packages in an organization.

Package pre-approval is required in many organizations with tight third party software policies. It ensures only a limited, well understood and tightly controlled set of packages of specific release versions are used in products.

The software package pre-approval process involves the following steps:

a) Requests - where a developer can request that a specific package be authorized. The request contains as much information about the package as possible, such as its name, authors, license, and pointers to where additional information can be found or where the package can be obtained. The request should also specify how the package is going to be used in the product.

b) Logging - where a request database tracks requests and their approval status.

c) Investigation - where examiners review a request, which usually requires an audit of the requested package (manual or automated scanning).

d) Approval (or rejection) - once a software package is approved, the approval is logged and its status is made available to the organization.

Next, an assessment of the existing code portfolio involves auditing that portfolio and establishing a baseline of what already exists in the organization.

Establishing a baseline is best done with an automated tool, ideally linked to the digitally captured software licensing policy and, if the organization has implemented a package pre-approval process, also linked to the database of pre-approved packages.
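As an added illustration (not Protecode's tooling), the script below shows what linking a baseline scan to the pre-approval database and the licensing policy looks like in practice: each scanned package is checked for an approved release version and an allowed license, and anything else is queued for a request. The package names, versions, licenses and approval records are constructed sample data.

```python
"""Reconcile a baseline scan against a pre-approved package database and a
licensing policy. Added illustration, not Protecode's tooling; all data is
constructed."""
from collections import defaultdict

# Constructed licensing policy: SPDX identifiers the organization accepts.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib", "Libpng"}

# Constructed pre-approval database: package -> approved release versions.
# Approval is granted per specific version, so a newer release is not covered.
PRE_APPROVED = {
    "zlib": {"1.2.11", "1.2.13"},
    "openssl": {"3.0.8"},
    "libpng": {"1.6.37"},
}

# Constructed baseline scan output: (package, version, detected license).
BASELINE_SCAN = [
    ("zlib", "1.2.13", "Zlib"),
    ("openssl", "3.0.7", "Apache-2.0"),
    ("libpng", "1.6.37", "Libpng"),
    ("libxml2", "2.9.10", "MIT"),
    ("readline", "8.1", "GPL-3.0-only"),
]


def classify(package, version, detected_license):
    """Return the review outcomes for one scanned package."""
    findings = []
    approved_versions = PRE_APPROVED.get(package)
    if approved_versions is None:
        findings.append("not-in-database")       # a request must be filed
    elif version not in approved_versions:
        findings.append("version-not-approved")  # only listed releases count
    if detected_license not in ALLOWED_LICENSES:
        findings.append("license-not-allowed")   # conflicts with the policy
    return findings or ["approved"]


def reconcile(scan):
    """Group every scanned package by outcome so the baseline can be triaged."""
    report = defaultdict(list)
    for package, version, lic in scan:
        for outcome in classify(package, version, lic):
            report[outcome].append(f"{package}@{version}")
    return dict(report)


if __name__ == "__main__":
    for outcome, packages in sorted(reconcile(BASELINE_SCAN).items()):
        print(f"{outcome}: {', '.join(packages)}")
```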

Having a process in place makes license compliance throughout the software development cycle easier, speeds up development time and lowers costs associated with fixing problems later down the road.

A software code audit is another efficient way to determine what third party or open source packages exist in your code. Download our white paper to learn more about software code audits.
